mirror of
https://github.com/TryGhost/Ghost.git
synced 2025-01-06 22:40:14 -05:00
c93f03b87e
closes #5599 If two users edit the same post, it can happen that they override each others content or post settings. With this change this won't happen anymore. ✨ Update collision for posts - add a new bookshelf plugin to detect these changes - use the `changed` object of bookshelf -> we don't have to create our own diff - compare client and server updated_at field - run editing posts in a transaction (see comments in code base) 🙀 update collision for tags - `updateTags` for adding posts on `onCreated` - happens after the post was inserted --> it's "okay" to attach the tags afterwards on insert --> there is no need to add collision for inserting data --> it's very hard to move the updateTags call to `onCreating`, because the `updateTags` function queries the database to look up the affected post - `updateTags` while editing posts on `onSaving` - all operations run in a transactions and are rolled back if something get's rejected - Post model edit: if we push a transaction from outside, take this one ✨ introduce options.forUpdate - if two queries happening in a transaction we have to signalise knex/mysql that we select for an update - otherwise the following case happens: >> you fetch posts for an update >> a user requests comes in and updates the post (e.g. sets title to "X") >> you update the fetched posts, title would get overriden to the old one use options.forUpdate and protect internal post updates: model listeners - use a transaction for listener updates - signalise forUpdate - write a complex test use options.forUpdate and protect internal post updates: scheduling - publish endpoint runs in a transaction - add complex test - @TODO: right now scheduling api uses posts api, therefor we had to extend the options for api's >> allowed to pass transactions through it >> but these are only allowed if defined from outside {opts: [...]} >> so i think this is fine and not dirty >> will wait for opinions >> alternatively we have to re-write the scheduling endpoint to use the models directly
100 lines
4.1 KiB
JavaScript
100 lines
4.1 KiB
JavaScript
var _ = require('lodash'),
|
|
Promise = require('bluebird'),
|
|
moment = require('moment'),
|
|
config = require('../config'),
|
|
pipeline = require(config.get('paths').corePath + '/server/utils/pipeline'),
|
|
dataProvider = require(config.get('paths').corePath + '/server/models'),
|
|
i18n = require(config.get('paths').corePath + '/server/i18n'),
|
|
errors = require(config.get('paths').corePath + '/server/errors'),
|
|
apiPosts = require(config.get('paths').corePath + '/server/api/posts'),
|
|
utils = require('./utils');
|
|
|
|
/**
|
|
* Publish a scheduled post
|
|
*
|
|
* `apiPosts.read` and `apiPosts.edit` must happen in one transaction.
|
|
* We lock the target row on fetch by using the `forUpdate` option.
|
|
* Read more in models/post.js - `onFetching`
|
|
*
|
|
* object.force: you can force publishing a post in the past (for example if your service was down)
|
|
*/
|
|
exports.publishPost = function publishPost(object, options) {
|
|
if (_.isEmpty(options)) {
|
|
options = object || {};
|
|
object = {};
|
|
}
|
|
|
|
var post, publishedAtMoment,
|
|
publishAPostBySchedulerToleranceInMinutes = config.get('times').publishAPostBySchedulerToleranceInMinutes;
|
|
|
|
// CASE: only the scheduler client is allowed to publish (hardcoded because of missing client permission system)
|
|
if (!options.context || !options.context.client || options.context.client !== 'ghost-scheduler') {
|
|
return Promise.reject(new errors.NoPermissionError({message: i18n.t('errors.permissions.noPermissionToAction')}));
|
|
}
|
|
|
|
options.context = {internal: true};
|
|
|
|
return pipeline([
|
|
utils.validate('posts', {opts: utils.idDefaultOptions}),
|
|
function (cleanOptions) {
|
|
cleanOptions.status = 'scheduled';
|
|
|
|
return dataProvider.Base.transaction(function (transacting) {
|
|
cleanOptions.transacting = transacting;
|
|
cleanOptions.forUpdate = true;
|
|
|
|
// CASE: extend allowed options, see api/utils.js
|
|
cleanOptions.opts = ['forUpdate', 'transacting'];
|
|
|
|
return apiPosts.read(cleanOptions)
|
|
.then(function (result) {
|
|
post = result.posts[0];
|
|
publishedAtMoment = moment(post.published_at);
|
|
|
|
if (publishedAtMoment.diff(moment(), 'minutes') > publishAPostBySchedulerToleranceInMinutes) {
|
|
return Promise.reject(new errors.NotFoundError({message: i18n.t('errors.api.job.notFound')}));
|
|
}
|
|
|
|
if (publishedAtMoment.diff(moment(), 'minutes') < publishAPostBySchedulerToleranceInMinutes * -1 && object.force !== true) {
|
|
return Promise.reject(new errors.NotFoundError({message: i18n.t('errors.api.job.publishInThePast')}));
|
|
}
|
|
|
|
return apiPosts.edit({
|
|
posts: [{status: 'published'}]},
|
|
_.pick(cleanOptions, ['context', 'id', 'transacting', 'forUpdate', 'opts'])
|
|
);
|
|
});
|
|
});
|
|
}
|
|
], options);
|
|
};
|
|
|
|
/**
|
|
* get all scheduled posts/pages
|
|
* permission check not needed, because route is not exposed
|
|
*/
|
|
exports.getScheduledPosts = function readPosts(options) {
|
|
options = options || {};
|
|
options.context = {internal: true};
|
|
|
|
return pipeline([
|
|
utils.validate('posts', {opts: ['from', 'to']}),
|
|
function (cleanOptions) {
|
|
cleanOptions.filter = 'status:scheduled';
|
|
cleanOptions.columns = ['id', 'published_at', 'created_at'];
|
|
|
|
if (cleanOptions.from) {
|
|
cleanOptions.filter += '+created_at:>=\'' + moment(cleanOptions.from).format('YYYY-MM-DD HH:mm:ss') + '\'';
|
|
}
|
|
|
|
if (cleanOptions.to) {
|
|
cleanOptions.filter += '+created_at:<=\'' + moment(cleanOptions.to).format('YYYY-MM-DD HH:mm:ss') + '\'';
|
|
}
|
|
|
|
return dataProvider.Post.findAll(cleanOptions)
|
|
.then(function (result) {
|
|
return Promise.resolve({posts: result.models});
|
|
});
|
|
}
|
|
], options);
|
|
};
|